What is the Difference Between Confidentiality and Privacy in SOC 2?

This is a question our clients often ask. The two criteria can cause confusion because they appear to overlap and are often talked about as one and the same, but they have distinct definitions.

SOC 2 Trust Services Criteria

Confidentiality and Privacy are two out of five possible Trust Services Criteria (TSC) that can be included in a SOC 2 audit.

In the SOC 2 audit guide from the American Institute of Certified Public Accountants (AICPA) they are defined as follows:

Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in generally accepted privacy principles (GAPP).

Confidentiality: Information designated as confidential is protected as committed or agreed.

So, the main difference between privacy and confidentiality is that Privacy protects the personal data of individuals while Confidentiality protects non-personal data.

Privacy comes into play when your business collects data directly from data subjects. If you do not collect data directly from individuals, the criterion does not apply and you do not need to include the Privacy TSC.

SOC 2 Confidentiality

For example, if you collect medical records directly from the individuals described in those records, the Privacy TSC applies. If you operate a system that collects medical records but you have no access to their contents, it does not apply.

Personally identifiable information (PII) is any data that could potentially identify a specific individual, such as a date of birth.

Although there is no single definition of PII, the following items could be considered PII if enough of them were exposed in a breach.

  • Full name

  • Date of birth

  • Home address

  • Billing address

  • Passport information

  • Driving licence number

  • National insurance or social security number

Confidential information is not as easily defined as personal information, because any information, personal or non-personal, can be deemed, classified or labelled as confidential, and once it is, it needs to be protected accordingly.

Classification of confidential information often varies significantly from one company to another. What one business classifies or deems as confidential another business might not. Some examples of confidential information include strategic business plans, customer contracts and financial information.

Is There a Difference Between Security and Privacy?

Security is the only TSC that is required in SOC 2. It is the common criteria and covers controls that also underpin the other areas: availability, confidentiality, processing integrity, and privacy.

The privacy TSC is needed when a service organisation interacts directly with the individuals whose personal information they process on behalf of their clients.

What is Included in the Privacy TSC?

The privacy TSC gives independent assurance that the staff of a service organisation adhere to good privacy and data protection practices.

A SOC 2 audit report that includes the privacy TSC contains a CPA auditor’s opinion on the organisation’s compliance with the Trust Services Criteria on Privacy.

The Privacy criteria should be looked upon as a collection of processes, procedures, documents, and policies for ensuring the safety and security of highly sensitive consumer/client data.

The framework developed by the Privacy Task Force is called the Generally Accepted Privacy Principles (GAPP). The GAPP consists of ten privacy principles, which are reviewed as part of the SOC 2 Privacy Criteria. The privacy principles are listed and summarised below:

  1. Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

  2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

  3. Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

  4. Collection. The entity collects personal information only for the purposes identified in the notice.

  5. Use, retention, and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.

  6. Access. The entity provides individuals with access to their personal information for review and update.

  7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

  8. Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).

  9. Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

  10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

What is Included in the Confidentiality TSC?

The Confidentiality TSC ensures that data deemed or classified as confidential is kept secure. When testing the effectiveness of controls under the Confidentiality TSC, the auditor will review your defined data classifications and confirm that they are in place, are operating effectively and are ultimately protecting the confidentiality of the data.

Specific areas the Confidentiality TSC covers:

  • Identification of confidential information: Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained.

  • Protection of confidential information from destruction: Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information.

  • Destruction of confidential information: Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached.

Summary

In summary, Privacy protects the personal data of individuals while Confidentiality protects non-personal data. In a nutshell, if your organisation collects personal data or PII directly from the individuals whom that data concerns, you will need to include the Privacy TSC in your SOC 2 report.

Need Help With SOC 2?

Find out more about our SOC 2 Consultancy Services or contact us using the button below.
